Brazil’s General Data Protection Law / Lei Geral de Proteção de Dados (LGPD) – an overview

The Lei Geral de Proteção de Dados (LGPD), or General Data Protection Law in English, is a legal framework to regulate the collection and use of personal data in Brazil. It came into effect on August 16, 2020 and is enforced by the Autoridade Nacional de Proteção de Dados (ANPD) or National Data Protection Authority.

The LGPD is not the first or only data privacy law in South America, but it is perhaps the best publicized regulation from that region. The LGPD was influenced by the European Union’s General Data Protection Regulation (GDPR), and has also expanded its coverage beyond the GDPR’s parameters in some areas. The ANPD is also instrumental in the LGPD’s evolution as global regulations, technologies, and digital markets change.

The General Data Protection Law (LGPD) (in Portuguese) is a federal law in Brazil designed to unify 40 existing laws to regulate the processing of personal data of individuals. It was passed on September 18, 2020 and was made retroactive, coming into effect on August 16, 2020. Penalties became enforceable on August 1, 2021, and data subjects and public authorities could enforce their rights starting on September 18, 2020.

The Brazil data protection law is made up of 65 articles in 10 chapters. Article 2 lists the law’s seven fundamentals of personal data protection:

• respect for privacy
• informational self-determination
• freedom of expression, information, communication, and opinion
• inviolability of intimacy, honor, and image
• economic and technological development and innovation
• free enterprise, free competition, and consumer defense
• human rights, free development of personality, dignity, and exercise of citizenship by natural persons

Per Article 3, the LGPD applies to any data processing activities that are either:

• carried out in Brazil
• for the purposes of offering goods and services to, or to process data of, individuals located in Brazil, or
• of personal data collected in Brazil

Data processing carried out by any natural person or public or private legal entity (commonly a business or organization) is covered by the LGPD. The organization doing the data processing does not require a physical presence in Brazil or to be headquartered there. This extraterritoriality component is common to international privacy laws.

Article 4 stipulates that the LGPD does not apply when the processing of personal data:

• is performed by a natural person exclusively for private and non-economic purposes
• is performed solely for journalistic, artistic, and/or academic purposes
• is performed solely for the purposes of public safety, national defense, state security, or investigation and prosecution of criminal offenses
• originates from outside of Brazil and is not the object of communication or shared with Brazilian processing agents or the object of international transfer with a country other than the country of origin (provided the country of origin provides a reasonable degree of data protection)

Article 18 outlines that a natural person whose data is processed under this regulation has the right to:

• confirm that their personal data is being processed
• access their personal data
• correct incomplete, incorrect, or outdated personal data
• have anonymized, blocked, or deleted any unnecessary or excessive data, or data processed in noncompliance with the regulation
• request that a data controller move their personal data to another service or product provider, known as data portability
• delete their personal data, with exceptions as outlined in Article 16
• be given information on public or private entities with which their personal data has been shared and how
• be given information about their right to refuse consent to the processing of their personal data, and consequences of refusal
• revoke consent to the processing of their personal data once given

Definitions in the LGPD are outlined in Article 5. These are some of the most important or frequently referenced.

Information related to (collected from or about) an identified or identifiable natural person.

Personal data linked to a natural person that could be used to identify them, and that is related to:

• racial or ethnic origin
• religious beliefs
• political opinion
• trade union affiliation
• membership to religious, philosophical, or political organizations
• health or sex life data
• genetic or biometric data

Broadly, sensitive personal data has the ability to inflict greater harm if misused.

Article 11 stipulates the specific conditions under which processing of sensitive personal data under the Brazil privacy law is permitted.

Any operation carried out with personal data. This includes:

• collection
• production
• receipt
• classification
• use
• access
• reproduction
• transmission
• distribution
• processing
• archiving
• storage
• deletion
• evaluation or control of information
• modification
• communication
• transfer
• dissemination
• extraction

A natural person or individual whose data is being processed.

A natural or legal person, either public or private, that makes decisions about the processing of personal data. A controller can be an individual, company or other organization.

A natural or legal person, either public or private, that processes personal data on behalf of the controller. Like a controller, an operator can be an individual, company or other organization. Referred to as the “data processor” in some other laws.

Controllers and operators together are known as “processing agents” under the Brazil data protection law.

The communication, dissemination, international transfer, interconnection of personal data, or shared processing of personal databases by public bodies and entities in compliance with their legal powers, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing allowed by these public entities, or between private entities.

International data transfers have been an important issue in data privacy law where countries lack adequacy agreements regarding data protection. Shared use is also important for companies that make their money selling data, as data subjects typically must consent before their data can be shared with or sold to third parties.

This process refers to reasonable and available technical means at the time of processing to remove identifiable markers from data so it loses the possibility of direct or indirect association with an individual. It’s also common under privacy laws to require that the data cannot and will not be deanonymized, i.e. made identifiable again.

Consent is one of the cornerstones of Brazilian data privacy law and is defined as the free, informed, and unambiguous expression by which the data subject agrees to the processing of his or her personal data for a given purpose.

“Free, informed, and unambiguous” are fundamental to definitions of valid consent in other privacy laws that require opt-in consent, like the GDPR.

Article 8 of the Brazil privacy law outlines conditions for obtaining, re-obtaining, and proving receipt of consent, as well as conditions for revocation of consent. It stipulates, among other things, that consent must be given in writing for a specified purpose, and general authorizations for processing personal data are void. The data subject has the right to revoke consent at any time, and it must be as easy to withdraw consent as it is to give it.

The burden of proof that consent was obtained in compliance with the LGPD lies with the controller, making robust consent management practices important.

[H3] Opt-in vs. opt-out

The LGPD uses an “opt-in” model of user consent, which means that, in most cases, organizations cannot collect or process data until the user — an online shopper, website visitor, app user, etc. — explicitly consents to it. This requirement includes both personal data like names and email addresses, but also granular and “behind the scenes” data like that collected by website cookies.

Internationally, other laws, like the EU’s GDPR and South Africa’s Protection of Personal Information Act (POPIA) also use this consent model. In the United States, however, various states, including the California Consumer Privacy Act (CCPA), Virginia Consumer Data Privacy Act (VCDPA), and Texas Data Privacy and Security Act (TDPSA), have implemented an “opt-out” model of user consent.

Organizations subject to these US state-level data privacy laws do not have to obtain user consent prior to collection of data, except in some specific cases. They only have to obtain consent prior to specific actions, like selling or sharing the data, or use of it for targeted advertising or profiling, also with some specific exceptions.

Article 7 outlines the legal bases or circumstances under which data processing may be carried out. As noted, there are 10 legal bases under the Brazilian data privacy law — four more than in the GDPR. The full list of when processing may take place includes:

• with the data subject’s consent
• to comply with the data controller’s legal or regulatory obligations
• for public administration and carrying out public policies set out in law, regulation, or contracts
• for research studies (anonymized where possible)
• to carry out a contract with the data subject
• for the regular exercise of rights in judicial, administrative, or arbitral proceedings
• to protect life or physical safety of the data subject or a third party
• by healthcare or sanitation professionals to safeguard a person’s health
• for the legitimate interest of the data controller or a third party, unless that would infringe upon the data subject’s fundamental rights and liberties
• to protect credit ratings

Legitimate interest(s) as a legal basis for processing data has been popular under other privacy laws, since it could mean less work for the controller and others. Consent doesn’t have to be obtained and managed, for example. It should also be noted that the 10 legal bases for data processing under the Brazil privacy law are not listed hierarchically, and the most appropriate one should be decided based on specific circumstances. Legitimate interest shouldn’t be the first choice or last resort.

Generally, legitimate interest means use of personal data in a way that is reasonably expected (typically by the data subject), beneficial to the controller and subject, but not legally required. “Interest” is a very broad term, and can encompass anything from commercial interests to the public good.

Legitimate interest under Article 10 of the LGPD would apply under several broad conditions:

• the data processing has a clear benefit, but is not legally required
• there is little risk of the processing infringing on data subjects’ privacy
• data subjects can reasonably expect that use of their data

Organizations can’t just claim legitimate interest as their legal basis for their own convenience. The processing does need to be necessary for a defined purpose, and additional transparency is required. Use of legitimate interest requires balancing the rights of data subjects with the interests of data controllers (and possible third parties).

The concept of legitimate interest is less mature in Brazil than in the EU, so there is ongoing discussion about what constitutes legitimate interest and under what circumstances it is appropriate to be applied. There has been concern since the law was drafted about legitimate interest being “carte blanche” for data controllers, and thus its use may draw closer scrutiny from data protection authorities.

There is a three-part test that’s considered best practice before deciding on legitimate interest as a legal basis for data processing:

• purpose test (what is the legitimate interest)
• necessity test (is the processing necessary for the defined purpose)
• balancing test (what are the individual’s/data subject’s interests)

The LGPD gives the ANPD the authority to require data controllers to prepare a Data Protection Impact Assessment/Report (Article 38) when the controller’s chosen legal basis is legitimate interest. This is intended to identify and mitigate the risks to the processing. The processing may not be any riskier than that for which consent is required. But when the necessity of informing users to obtain consent is not present, the same transparency to users does not have to be in place.

There is some debate over whether a DPIA is the right mechanism in such cases, or whether a legitimate interest assessment would be better.

Article 6 provides the Brazil privacy law’s 10 principles governing data processing.

• Purpose: The processing must be carried out for legitimate, specific, and explicit purposes that the data subject is informed about. It cannot be processed for any purpose(s) incompatible with these purposes.
• Adequacy: Processing must be compatible with the purpose(s) that the data subject has been informed about, according to the context of the processing activity.
  Necessity: The processing activity must be limited to the minimum necessary to achieve its purpose(s), covering the relevant data proportional to the stated purpose(s) of the processing.
• Free access: Data subjects are guaranteed free and easy consultation about the completeness of their personal data and the form and duration of the processing activity
• Data quality: The accuracy, clarity, relevance and updating of subjects’ data is guaranteed, according to the need and for the fulfillment of the purpose of its processing
• Transparency: Data subjects are guaranteed clear, accurate, and easily accessible information about the processing and the respective processing agents, as long as commercial and industrial secrets remain safeguarded.
• Security: Technical and administrative measures must be used to protect personal data from unauthorized access, accidental or unlawful destruction, loss, alteration, communication, or dissemination.
• Prevention: Processing agents must adopt corrective measures to prevent damage due to the processing of personal data.
• Nondiscrimination: Processing activity cannot be carried out for illegal or abusive discriminatory purposes.
• Accountability: Data processing agents must demonstrate the adoption of corrective measures to prove observance of and compliance with personal data protection rules, including the effectiveness of such measures.

As can be seen from the principles of processing data under the Brazil privacy law, controllers’ obligations are fairly standard compared to global data protection regulations. Controllers must:

• establish a clear purpose and legal or lawful basis for data processing before any data is collected
• only collect and process the data that is absolutely necessary, and only for the stated purpose(s) and amount of time it’s needed
• collect, access, and store data securely
• provide data subjects with transparent information about what data of theirs is processed, how, and by whom

Key questions for organizations when any privacy law comes into effect include who it applies to, and what the conditions are for compliance.

The Brazil data privacy law requires organizations to implement privacy by design, and a Data Protection Officer (DPO) is key to those activities. Every data processing controller (but not processors) must appoint a DPO, and they are responsible for ensuring organizations’ obligations are met.

Article 41 addresses requirements for a DPO. Due to an Executive Order, it is not mandatory that the DPO be a natural person. The role may be fulfilled by an internal committee or working group, or outsourced to third parties. The DPO’s identity and contact information must be publicly available under the law. They do not have to hold any particular credentials or have specific experience, though this may also change in the future, and some credentials or experience, like relevant legal experience or data security background, may make fulfilling their duties easier.

The DPO liaises with data subjects, receiving communications or complaints from them, and providing information to or adopting measures affecting them. They receive communications from and adopt measures for the ANPD as well.

The DPO ensures that the organization’s employees and relevant third parties, like contractors, are trained in data processing requirements and security measures, and maintain them. They generally carry out other duties as required by the ANPD as well.

The LGPD does not provide specifications about the size of a company or nature of their business or data processing regarding the requirement to have a DPO. The ANPD, by its resolution dated January 27, 2022 (in Portuguese), has made an exemption for small-size data processing agents, which are not required to appoint a DPO. These are defined as microenterprises, small businesses, startups, legal entities governed by private law, non-profits, natural persons, and depersonalized private entities that process personal data. Small processing agents that don’t appoint a DPO must provide a communication channel to accept complaints and communications from data subjects under Article 41.

Data transfer requirements and responsibilities under the LGPD look similar to those under the GDPR. Article 33 outlines when data may be transferred internationally. As noted, the LGPD is extraterritorial in scope, so if data subjects are in Brazil at the time of data processing, the Brazil privacy law applies even if the processing takes place outside Brazil, and data transfer is considered to have taken place.

Organizations can transfer personal data outside of Brazil (e.g. for processing) under the following conditions:

• to countries or international organizations that provide an degree of protection of personal data that is adequate under the LGPD
• when the controller offers and provides guarantees of compliance with the LGPD’s principles and the rights of data subjects in mind, including with contractual clauses
• when the transfer is necessary for international legal cooperation between public intelligence, investigative, and prosecuting bodies, in accordance with international law
• when the cross-border transfer is necessary for the protection of life or physical safety of the data subject or third party
• when the ANPD authorizes the transfer
• when there is an international cooperative agreement enabling the transfer
• when the transfer is necessary to execute public policy or legal attribution of the public service
• when the data subject has given prior and informed consent to the transfer and its specific purpose(s)
• when necessary to meet conditions of items II, V and VI of Article 7

The principles of processing under the Brazilian General Data Protection Law guarantee that data subjects receive clear, precise, and easily accessible information about processing activities and processing agents. This information can be presented in the form of a privacy policy and under Article 9 must include:

• specific purpose(s) of processing
• type and duration of processing
• controller’s identification and contact information
• information regarding the controller’s shared use of data and purpose(s)
• processing agents’ responsibilities
• data subjects’ rights, specifically the rights provided under Article 18

The LGPD stipulates that if a data breach occurs, the controller must report it to the ANPD within a “reasonable” timeframe if it is likely to or has resulted in risk or harm to data subjects. The ANPD, by its resolution dated April 24, 2024 (in Portuguese) has established a timeline and procedures for notification of data breaches to the supervisory authority and to data subjects. Personal Data Security Incidents are covered under Article 48.

Data controllers must communicate a data breach or security incident to the ANPD and to data subjects within three working days from the controller’s knowledge that the incident affected personal data. If the controller is a small-size data processing agent as per the ANPD’s 2022 resolution, the deadline is doubled.

Notifications to the ANPD must include, among other things:

• a description of the nature of the affected personal data
• information about the data subjects involved, detailing the number of children, adolescents, and elderly people, where applicable
• information about the security measures adopted before and after the security incident
• risks created by the incident and identification of possible impacts
• reasons for any delay in communication (if any)
• measures that have or will be adopted to address the breach and prevent a recurrence
• date the data breach occurred, if it can be determined, and the date when it came to the controller’s knowledge
• description of the security incident and, if possible to identify it, the main cause

Communication of the security incident must be done using an electronic form made available by the ANPD.

There are special requirements for notifications to data subjects, including that:

• the communication must use language that is simple and easy to understand
• if it possible to identify them, data subjects must be notified directly and individually using the method the controller normally uses to contact them, including email, telephone, electronic message, or letter
• the notification must include the contact information of person data subjects’ can contact for more information

If it is not possible to identify or directly contact data subjects, the controller must communicate the data breach by means such as via its website, social media, and customer service channels for a period of at least three months.

The ANPD will verify the seriousness of incidents, and can order the controller to adopt measures to safeguard data subjects’ rights if necessary, including broad disclosure of the incident to the media, or measures to mitigate or reverse the effects of it.

The LGPD, like many privacy laws, has special provisions for children and adolescents and their data (Article 14). This is in line with provisions for children’s protection in other Brazilian law and the constitution as well. Under the Brazilian data privacy law a child is anyone under age 12, while an adolescent is anyone between the ages of 12 and 18.

Children’s data can be processed, but their best interests must be taken into consideration, and parental consent (or that of a legal representative) is required for all processing activities, prior to those activities commencing.

Controllers must provide information about the data requested in a clear and accessible manner, as well as addressing the purpose of collection and use of the data. Controllers must also make reasonable efforts, using available technologies, to verify that consent was provided by a parent or legal representative.

The conditions for parental consent for children’s data processing are the same as for adults — free, informed, unambiguous, specific, and outstanding. Children cannot be asked to provide personal information beyond what is strictly necessary when engaging with online apps, games, or other similar activities.

A partial exception to the requirement is when data collection before consent is necessary to be able to contact the parents(s) or legal representative in order to obtain consent for the child’s data process. The data can only be used once and not stored or shared with third parties without consent.

Like many other data protection regulations, the Brazilian data privacy law does not permit processing agents to carry out processing activities or hold personal data indefinitely.

Article 15 outlines when processing of personal data should be terminated. This includes when:

• the specific purpose for the processing has been achieved, or the data is no longer needed to achieve it
• the processing period ends
• the data subject provides notice to exercise their right to revoke consent for processing
• the ANPD determines that there has been a violation of the LGPD’s provisions

Pursuant to the termination of processing, the deletion of collected personal data is covered in Article 16. Generally, personal data must be deleted after the end of processing. Exceptions to this, when the data is not deleted right away are:

• in compliance the controller’s legal or regulatory obligation
• for research study, ensuring anonymization where possible
• transfer to a third party, provided legal requirements for this are respected
• exclusive use by the controller, provided the data is anonymized and there is no third party access

The ANPD is responsible for assessing violations and penalties where noncompliance with the LGPD’s provisions has been established. Under Article 52, these penalties can include fines of up to 2 percent of the organization’s annual revenue in Brazil, up to a maximum fine of 50 million Brazilian reals per violation (~EUR 8-9 million or ~USD 9-10 million). Penalties can also include a daily fine, capped at a total maximum of the above amounts.

The ANPD can also block access to data or further data processing, require deletion of collected personal data, or disclose and publicize the confirmed violation. Individuals do have private right of action, which is the right to sue to seek civil damages for privacy violations.

Under Article 42, if a controller or operator commits a violation of the law that causes “material, moral, individual or collective damage” regarding the protection of personal data, they are obligated to repair it. As noted earlier, individual data subjects can also sue for damages if harmed by a data-related security incident.

In case of a violation that harms data subjects, the controller is the most likely party liable for damages. However, when the operator has failed to comply with data protection obligations, or hasn’t followed the controller’s instructions, they are “jointly [with the controller] and severally liable for the damages caused by the processing”.

Businesses that act as data controllers or processors under the Brazil privacy law can take several steps to comply with their obligations under the regulation.

An LGPD data privacy audit assesses the personal data your organization collects, processes, and stores; where it’s collected from; and evaluates compliance with the LGPD. It examines key areas like consent management, data security measures, and access controls to pinpoint risks and opportunities for enhancement.

If required, designate a DPO to oversee your data protection strategy and operations and monitor compliance with LGPD.

Ensure contracts with third parties (processors) are updated to include specific clauses to promote compliance with the LGPD.

Ensure that you obtain explicit, informed, and unambiguous consent from individuals before collecting and processing their personal data. Use clear and concise language in consent banners and provide options for individuals to change or withdraw consent easily. Using a consent management platform (CMP) like Usercentrics CMP can help you obtain explicit, informed, and specific collect consent.

Create comprehensive privacy policies that inform users about the types of data collected, purposes of data processing, data sharing practices, data retention periods, and user rights under the LGPD. Make these policies easily accessible to users on your website, and update it regularly to ensure changes to your data handling practices are reflected.

The GDPR has undoubtedly influenced the LGPD, which can be seen in several key provisions including the LGPD’s requirements around consent and data portability. There are, however, several areas of the Brazil data protection law that build on the GDPR’s provisions.

Here are some key differences between the two regulations.

The Brazil Data Protection Law has a well established foundation with the influence of the GDPR and Brazil’s existing laws. Its authoritative body, the ANPD, also has a strong role in helping the law mature and evolve as technology continues to evolve. The future of third-party cookies, international trade, child protection, and other considerations are important today and will continue to be as technologies and digital markets evolve.

Organizations will need to prioritize compliance with privacy first design, while balancing it with revenue goals and building customer relationships. The risks of noncompliance are substantial, and most companies cannot afford penalties in the millions of reals.

Fortunately, there are tools like consent management platforms to help companies navigate LGPD requirements.

If you have questions about how the LGPD affects your business, or about consent management for websites and apps, we’re happy to help. Contact one of our experts!